Executive Summary

Introduction



On May 3, 2006, the home of a VA employee was burglarized resulting in the theft of a 
personally-owned laptop computer and an external hard drive, which was reported to 
contain personal information on approximately 26 million veterans and United States 
military personnel. The VA Secretary was not informed of the incident until May 16, 
2006, almost 2 weeks after the data was stolen. The Congress and veterans were not 
notified until May 22, 2006. 

The Office of Inspector General (OIG) initiated this review to determine: (1) whether the 
employee had an official need to access the data that was stolen, whether he was 
authorized to take it home, and whether it was properly safeguarded; (2) whether proper 
notifications of the stolen data were made, and whether those notifications were 
pursued in an appropriate and timely manner; (3) whether VA had policies and 
procedures in place to safeguard personal and proprietary information maintained by 
VA; and (4) whether VA had sufficiently addressed long-standing OIG reported 
information security weaknesses. The Senate and House veterans' affairs committees, 
as well as several other members of Congress, have expressed considerable interest in 
this review. 

The burglary was reported to the local police. When the employee discovered that the 
computer equipment was among the items stolen, he immediately notified VA 
management in the Office of Policy, Planning, and Preparedness, including Security 
and Law Enforcement personnel. The employee advised all of them that the stolen 
personal computer equipment contained VA data. 

Results 

Employee Not Authorized to Take VA Data Home 

Because the employee was responsible for planning and designing analytical projects 
and supporting surveys involving all aspects of VA policies and programs, he was 
authorized access to, and use of, VA databases. The employee explained that much of 
the data that he had stored on the stolen external hard drive was for his "fascination 
project" that he self-initiated and worked on at home during his own time. 

Because of past criticism on the reliability of the National Survey of Veterans, his project 
focused on identifying approximately 7,000 veterans who participated in the 2001 
survey, in order to compare the accuracy of their responses with information VA already 
had on file. He began the project in 2003, but could not recall spending time working on 
it during 2006. 
To conduct this project, the employee took home vast amounts of VA data and loaded it
on an external hard drive. The stolen laptop did not contain VA data. The employee 
reported that the external hard drive that was stolen likely included large record extracts 
from the Beneficiary Identification and Records Locator Subsystem (BIRLS) that 
contained records on approximately 26 million living veterans. The extract contained 
veterans' social security numbers, full names, birth dates, service numbers, and 
combined degree of disability. He also reported that the stolen hard drive likely 
contained an extract of the August 2005 Compensation and Pension (C&P) file, 
containing personal identifiers of over 2.8 million living veterans. 

While the employee had authorization to access and use large VA databases containing 
veterans' personal identifiers in the performance of his official duties, his supervisors 
and managers were not aware that he was working on the project, and acknowledged 
that if they had, they would not have authorized him to take such large amounts of VA 
data home. In fact, one manager could not justify taking such a large amount of data 
home under any circumstances. 

By storing the files on his personal external hard drive and leaving it unattended, the 
employee failed to properly safeguard the data and unnecessarily exposed it to risks 
greater than those existing in the workplace. While the employee stored the laptop and 
the external hard drive in separate areas of the house, he acknowledged that he took 
security of the data for granted. 

The loss of VA data was possible because the employee used extremely poor judgment 
when he decided to take personal information pertaining to millions of veterans out of 
the office and store it in his house, without encrypting or password protecting the data. 
This serious error in judgment is one for which the employee is personally accountable. 
The Department has already proposed administrative action. 

An Assistant United States Attorney has declined prosecution of the employee for any 
criminal activity on his part relating to taking VA data to his home. The OIG, in
coordination with the Federal Bureau of Investigation (FBI) and the Montgomery County
Police Department in Maryland, is continuing to pursue the criminal investigation into
the burglary. On June 28, 2006, the stolen laptop computer and external hard drive 
were recovered intact. Based on all the facts gathered thus far during the investigation, 
as well as the results of computer forensics examinations, the FBI and OIG are highly 
confident that the files on the external hard drive were not compromised after the 
burglary. 

Processing the Notification of the Stolen Data Was Not Appropriate or Timely 

Despite Mr. Michael McLendon, Deputy Assistant Secretary for Policy, being notified of 
the theft and loss of VA data on May 3, 2006, it was not until May 5, 2006, that the 
Information Security Officer (ISO) for OPP&P interviewed the employee to determine 
more facts about the loss. The ISO reported that the employee was so flustered that the
ISO decided not to discuss the matter with him; instead, the ISO directed the employee to
write down what data was lost. The employee's written account of the lost data was essentially an
identification of database extracts with little quantified information concerning the 
significance or magnitude of the incident. This is important because this document 
served as the basis for all further notifications in VA up to, and including, the Deputy 
Secretary. 

Mr. McLendon received the report of the stolen data from the OPP&P ISO on May 5,
2006. Instead of providing the report to higher management, Mr. McLendon advised his
supervisor, Mr. Dennis Duffy, Acting Assistant Secretary for Policy, Planning, and 
Preparedness, of his intent to rewrite the report because it was inadequate and did not 
appropriately address the event. He submitted his revised report to Mr. Duffy on May 8, 
2006. 

Our review of Mr. McLendon's revisions determined that his changes were an attempt to 
mitigate the risk of misuse of the stolen data. He focused on adding information that 
most of the critical data was stored in files protected by a statistical software program, 
making it difficult to access. This, however, was not the case because we were able to 
display and print portions of the formatted data without using the software program. 
Mr. McLendon made these revisions without consulting the programming expert on his 
staff or with the employee who reported the stolen data. Mr. Duffy provided the report 
to Mr. Thomas Bowman, VA Chief of Staff, on May 10, 2006. Mr. Duffy also did not 
attempt to determine the magnitude of the stolen data nor did he talk to the employee. 

Mr. McLendon did not inform his direct supervisor, Mr. Duffy, when he learned of the
incident on May 3, 2006. Mr. Duffy advised us that he did not learn of the theft until
Friday morning, May 5, 2006, when he spoke with the OPP&P ISO, in what Mr. Duffy
described as a rather "casual hallway meeting." 

Mr. Duffy did not discuss the matter initially with Mr. McLendon, noting that there had 
been a long and very strained relationship with him. Mr. Duffy said that Mr. McLendon 
had a very strong belief that, as a political appointee, he reported in some fashion to the 
Secretary and that there was no need for a "careerist" to supervise him. Mr. McLendon 
characterized the office as one of the most dysfunctional organizations in VA, and that it 
was one of the most hostile work environments he ever worked in. 

Mr. Duffy said he just did not perceive this as a crisis. In hindsight, he added that his 
greatest regret is that he "failed to recognize the magnitude of the whole thing." Both 
Mr. Duffy and Mr. McLendon bear responsibility for the impact that their strained 
relationship, which both acknowledged, may have had on the operations of the office in 
handling the aftermath of the incident. 

We also concluded that Mr. John Baffa, Deputy Assistant Secretary for Security and 
Law Enforcement, who was notified of the incident on May 4, 2006, also failed to take 
appropriate action to determine the magnitude and significance of the stolen VA data. 

VA Office of Inspector General
Case 1:06-cv-01038-JR Document 18-3 Filed 01/09/2007 Page 7 of 32
Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans


Mr. Duffy notified Mr. Bowman of the data theft on May 9, 2006, and followed up with 
the report the next day. Shortly thereafter, Mr. Bowman provided it to Mr. Jack 
Thompson, Deputy General Counsel, and asked him to provide an assessment of the 
agency's duties and responsibilities to notify individuals whose identifying information 
was compromised. On May 10, 2006, Mr. Bowman informed Mr. Gordon Mansfield, 
Deputy Secretary, of the burglary and the stolen VA data. 

It was not until the morning of May 16, 2006, after the Chief of Staff was informed by the 
Inspector General that the stolen data most likely contained records with personal 
identifiers on approximately 26 million records, that Mr. Bowman notified the Secretary 
of the theft and magnitude of the lost data. 

The delay in notifying the Secretary was spent waiting for legal advice from the Office of 
General Counsel (OGC). This 6-day delay can be attributed to a lack of urgency on the 
part of those requesting this advice and those responsible for providing the response. 
This is not to say that everyone who was notified of the incident failed to recognize the 
importance of this matter, but no one clearly identified it as a high priority item and no 
one followed up on the status of the request until after the May 16, 2006, call from the 
Inspector General. 

Although Mr. Bowman acknowledged he knew the VA data stolen could affect the 
records of millions of veterans, he demonstrated no urgency in notifying the Secretary. 
He notified the Deputy Secretary the day after he learned of the loss. While the Deputy 
Secretary does not recall discussing the magnitude of the number of veterans affected 
by the theft, he too decided not to raise the issue to the Secretary until they knew more 
information on what VA's legal responsibilities were and more about the magnitude of 
the problem. Once again, no one attempted to contact the employee who reported the 
theft to determine the magnitude of the lost data. The OIG was able to determine the 
extent of the stolen data after one interview with the employee on May 15, 2006. 

Information Security Officials Acted with Indifference and Little Sense of Urgency 

On May 5, 2006, the OPP&P ISO forwarded information concerning the theft of the data 
to the District ISO, who is responsible for coordinating ISO activities among VA Central 
Office staff offices. He also submitted it to the Security Operations Center (SOC), Office 
of Information and Technology, which has responsibility for assessing and resolving 
reported information security incidents. However, the OPP&P ISO's incident report had 
significant errors and omissions, and information security officials did not adequately 
attempt to identify the magnitude of the incident or elevate it until overtaken by the 
events on May 16, 2006. 

At nearly every step, VA information security officials with responsibility for receiving, 
assessing, investigating, or notifying higher level officials of the data loss reacted with 
indifference and little sense of urgency or responsibility. At no time did the District ISO 
or SOC attempt to interview the employee who reported the data stolen to clarify 
omissions in the OPP&P ISO's report or to gain a better understanding of the scope and
severity of the potential data loss. While the District ISO elevated the matter to 
Mr. Johnny Davis, Acting Associate Deputy Assistant Secretary for Cyber Security 
Operations, this occurred as another "hallway conversation," and he was not provided 
any details on the nature of the missing data. No further notifications were made up the 
chain-of-command. 

Twelve days after receiving the original incident report, the SOC had made no 
meaningful progress in assessing the magnitude of the event and, ironically, had 
passed responsibility to gather information on the incident back to the OPP&P ISO to 
review it as a possible privacy violation, an area outside the jurisdiction of the SOC. 
The OPP&P ISO also serves as the Privacy Officer. 

Policies and Procedures Do Not Adequately Protect Personal or Proprietary Data 

The potential disclosure of Privacy Act protected information resulting from the theft of 
an employee's personal hard drive raised the issue of whether VA policies adequately 
safeguard information that is not stored on a VA automated system. Based on our
review of VA policies that existed at the time of the incident, policies that have been
issued since the incident, and interviews with VA employees, Chief Information Officers,
Privacy Officers, and ISOs, we concluded that VA policies, procedures, and practices
do not adequately safeguard personal or proprietary information used by VA employees
and contractors.

We found a patchwork of policies that were fragmented and difficult to locate. None of
the policies prohibited the removal of protected information from the worksite or the
storing of protected information on a personally-owned computer, and none provided
safeguards for electronic data stored on portable media or a personal computer.

The loss of protected information not stored on a VA automated system highlighted a 
gap between VA policies implementing information laws and those implementing 
information security laws. We found that policies implementing information laws focus 
on identifying what information is to be protected and the conditions for disclosure; 
whereas, policies implementing information security laws focus on protecting VA 
automated systems from unauthorized intrusions and viruses. As a result, VA did not 
have policies in place at the time of the incident to safeguard protected information not 
stored on a VA automated system. 

Although policies implemented by the Secretary since the incident are a positive step, 
we determined that more needs to be done to ensure protected information is 
adequately safeguarded. We found that VA's mandated Cyber Security and Privacy
Awareness training is not sufficient to ensure that VA and contract employees are
familiar with the applicable laws, regulations, and policies. We also found that position
sensitivity level designations for VA and contract employees are either not done or are
not accurate. In addition, we found that VA contracts do not contain terms and
conditions to adequately safeguard protected information provided to contractors.
We determined that VA needs to enhance its policies for identifying and reporting
incidents involving information violations and information security violations to ensure 
that incidents are promptly and thoroughly investigated; the magnitude of the potential 
loss is properly evaluated; and that VA management, appropriate law enforcement 
entities, and individuals and entities potentially affected by the incident are notified in a 
timely manner. 

Information Security Control Weaknesses Remain Uncorrected 

For the past several years, we have reported vulnerabilities with information technology
security controls in our Consolidated Financial Statements audit reports, Federal
Information Security Management Act audit reports, and Combined Assessment
Program reports. The recurring themes in these reports support the need for a
centralized approach to achieve standardization, remediation of identified weaknesses, 
and a clear chain-of-command and accountability structure for information security. 
Each year, we continue to identify repeat deficiencies and repeat recommendations that 
remain unimplemented. These recommendations, among other issues, highlight the 
need to address security vulnerabilities of unauthorized access and misuse of sensitive 
data, the accuracy of position sensitivity levels, timeliness of background investigations, 
and cyber security and privacy awareness training. We have also reported information 
technology security as a Major Management Challenge for the Department each year 
for the past 6 years. 

Recommendations 

We recommend that the Secretary: 

• Take whatever administrative action deemed appropriate concerning the 
individuals involved in the inappropriate and untimely handling of the 
notification of stolen VA data involving the personal identifiers of millions of 
veterans. 

• Establish one clear, concise VA policy on safeguarding protected information 
when stored or not stored in VA automated systems, ensure that the policy is 
readily accessible to employees, and that employees are held accountable for 
non-compliance. 

• Modify the mandatory Cyber Security and Privacy Awareness training to 
identify and provide a link to all applicable laws and VA policy. 

• Ensure that all position descriptions are evaluated and have proper sensitivity 
level designations, that there is consistency nationwide for positions that are 
similar in nature or have similar access to VA protected information and 
automated systems, and that all required background checks are completed 
in a timely manner. 
• Establish VA-wide policy for contracts for services that requires access to
protected information and/or VA automated systems, that ensures contractor 
personnel are held to the same standards as VA employees, and that 
information accessed, stored, or processed on non-VA automated systems is 
safeguarded. 

• Establish VA policy and procedures that provide clear, consistent criteria for 
reporting, investigating, and tracking incidents of loss, theft, or potential 
disclosure of protected information or unauthorized access to automated 
systems, including specific timeframes and responsibilities for reporting within 
the VA chain-of-command and, where appropriate, to OIG and other law 
enforcement entities, as well as appropriate notification to individuals whose 
protected information may be compromised. 

Comments 

The Secretary agreed with the findings and recommendations and provided acceptable 
improvement plans. See Appendix A for the Secretary's response and implementation 
plans for each recommendation. For the Secretary's complete response, including the 
attachments, please refer to the enclosed computer disk. We will follow up on the 
implementation of the recommendations until they are completed. 



GEORGE J. OPFER
Inspector General 
Introduction

Purpose 

The VA Office of Inspector General (OIG) investigated the circumstances surrounding 
the theft of VA records containing veterans' and other individuals' personal identifiers, 
which were electronically stored in an employee's personal computer external hard 
drive maintained at the employee's residence. The purpose of this investigation was to 
determine the following: 

• Whether the employee had an official need to access the data that was 
stolen, whether he was authorized to take it home, and whether it was 
properly safeguarded. 

• Whether proper notifications of the stolen data were made, and whether those 
notifications were pursued in an appropriate and timely manner. 

• Whether VA had adequate policies and procedures in place to safeguard 
personal and proprietary information maintained by VA. 

• Whether VA has sufficiently addressed long-standing OIG reported 
information security weaknesses. 

Background 

On Wednesday, May 3, 2006, the home of a VA Information Technology Specialist, 
hereafter referred to as "the employee," was burglarized resulting in the theft of a 
personally-owned laptop computer and an external hard drive, which was reported to 
contain personal information on approximately 26 million veterans and United States 
military personnel. 

The burglary was discovered by the employee's wife on the afternoon of May 3, 2006, 
who immediately reported it to the local police. When the employee arrived home on 
the day of the burglary shortly after 5:00 p.m. and discovered that the computer 
equipment was among the items stolen, he immediately notified Office of Policy, 
Planning, and Preparedness (OPP&P) management. He also notified the VA Office of 
Security and Law Enforcement, which is part of the OPP&P organization. The 
employee advised all of them that the stolen personal computer equipment contained 
VA data. 

The VA Secretary was not informed of the incident until May 16, 2006, almost 2 weeks 
after the VA data was reported stolen. The delay in notifying the Secretary resulted in 
delays in notifying the Congress and veterans. The public announcement by VA did not 
occur until May 22, 2006, which was almost 3 weeks after the burglary occurred. 
The employee works for OPP&P in VA Central Office (VACO). The employee was
responsible for providing data analysis and statistical expertise to support the functions
of OPP&P. Among other duties, OPP&P conducts independent analyses for VA
decision makers regarding existing policies and programs, including administering a
national statistical center to support the continuous enhancement of benefits and 
services to veterans. Projects can be requested by the employee's supervisors and 
managers, VA officials outside OPP&P, VA contractors, and entities external to VA, or 
self-initiated by the employee. 

An Assistant United States Attorney has declined prosecution of the employee for any
criminal activity on his part relating to taking VA data to his home. The OIG, in
coordination with the FBI and the Montgomery County Police Department in Maryland,
is continuing to pursue the criminal investigation into the burglary. On June 28, 2006,
the stolen laptop computer and external hard drive were recovered intact. Based on all 
the facts gathered thus far during the investigation, as well as the results of computer 
forensics examinations, the FBI and OIG are highly confident that the files on the 
external hard drive were not compromised after the burglary. 

Scope and Methodology 

To address the objectives of this review, we interviewed the employee; his supervisors, 
project managers, and co-workers; privacy, information security, and VA law 
enforcement officials; VA Austin Automation Center (AAC) officials; Office of General 
Counsel (OGC) attorneys, including the General Counsel and Deputy General Counsel; 
the Chief of Staff; the Deputy Secretary; and other Department officials. We reviewed 
the employee's position description and performance standards; the local jurisdiction's 
police report of the theft; e-mail, notes, memoranda, and other documentation; 
chronologies of events prepared by the employee, OPP&P staff, OGC staff, and others; 
documentation of the employee's access to VA databases; the VA Security Operations 
Center (SOC) incident report; and other pertinent information. We reviewed cyber 
security and information security policies published by VA and its organizational 
components, relevant online training modules, and VA contract documents and contract 
administration records. We also conducted a forensic analysis of the contents of the 
compact disks (CDs) and other media the employee had at his home on the day of the 
burglary, as well as a forensic search of the contents of two other computers at his 
home. 
Results and Conclusions

Issue 1: Whether the Employee Had an Official Need to Access the
Data That Was Stolen, Whether He Was Authorized to Take It Home, 
and Whether It Was Properly Safeguarded 

Findings 

The employee reported having VA databases and other files containing veterans' 
personal identifiers on the external hard drive that was stolen from his home, including 
large record extracts from the Beneficiary Identification and Records Locator Subsystem 
(BIRLS) and the Compensation and Pension (C&P) file. BIRLS is a computer file of 
information concerning veterans and benefits. Among other purposes, it is used to 
determine the location of a veteran's file or to record a veteran's death. Some of the 
BIRLS database fields include name, social security number, military service number, 
claim number, date of birth, date of death, and dates of military service. BIRLS is not a 
national security system. The C&P file consists of records of veterans and beneficiaries 
receiving VA benefits, and includes database fields such as name, social security 
number, disability diagnostic codes and ratings, and addresses. 

Because the employee was responsible for planning and designing analytical projects 
and supporting surveys involving all aspects of VA policies and programs, he was 
authorized access to, and use of, these and other large VA databases. However, at the 
time of the burglary he had no official need or permission to take the data home. In 
addition, he reported that the data stored on the stolen external hard drive was neither 
password-protected nor encrypted. The employee explained that much of the data that 
he had stored on the stolen external hard drive was for a "fascination project" that he 
self-initiated and worked on at home during his own time. It is important to note, 
however, that this self-initiated project was related to VA and, if the employee was 
successful in accomplishing his goal, he believed it would be of benefit to VA decision 
makers. His supervisors or managers were not aware that he was working on the 
fascination project, and acknowledged that if they did, they would not have authorized 
him to take such large amounts of VA data home. 

The Employee Had an Official Need to Use Large VA Databases 

According to the employee's current position description, he is responsible for designing 
and programming information systems and databases "comprised of millions of records" 
to facilitate analyses used by senior VA officials for policy consideration. He is 
responsible for planning and designing analytical projects and studies to improve the 
management of databases and for supporting ongoing VA surveys. The employee is 
expected to plan and execute his assignments independently and to initiate projects and 
methods of analyzing large databases. The position description notes, in particular, that 
the incumbent supports in-house analyses on the data collected through the National 
Survey of Veterans (NSV). His performance standards for the 12-month period ending 
September 30, 2006, included providing computer specialist expertise to support the
administration of the NSV and to support a program of research to continually enhance 
the veteran survey program. 

We confirmed that he used VA data in a multitude of analytical projects requiring access 
to major VA databases that contain personal information involving millions of veterans, 
and that access to these databases was requested and granted for official purposes.
For example: 

• In February 2002, the Veterans Health Administration (VHA) approved giving 
the employee access to an extract of its National Enrollment Data file, which 
includes a list of all veterans enrolled to receive VA medical care. The extract 
includes such identifiers as name, date of birth, address, social security 
number, and enrollment status and priority. Access was granted for the 
purpose of supporting national reporting of enrollment data. 

• In August 2005, the employee obtained access to the full C&P file, which the 
AAC provided to OPP&P so it could review issues related to the OIG report, 
Review of State Variances in Disability Compensation Payments, issued 
May 19, 2005 (Report No. 05-00765-137). 

• In October 2005, based on Veterans Benefits Administration (VBA) approval, 
the AAC gave the employee access to an extract of the BIRLS file. Mr. Dat
Tran, Acting Director of the Data Management and Analysis Service in
OPP&P and one of the employee's project managers, requested the access, 
stating that, "We are frequently required to conduct data cross matching 
across various VA databases and the BIRLS is a key database that we would 
like to have access to." Mr. Tran also specifically noted in the request for 
access the employee's data matching efforts to help identify veterans 
exposed to mustard gas. 

We also confirmed that the employee used these and other databases for authorized 
purposes. Following are some examples: 

• In October 2004, using the NSV database provided by the contractor who 
conducted the survey, the employee responded to a request from VHA for 
information on the insurance coverage of veterans who received VA inpatient, 
outpatient, and emergency room care, by priority status. 

• In April 2005, as part of an OPP&P ongoing analysis of recipients of the 
Vocational Rehabilitation and Employment Program, the employee prepared 
frequency distributions on demographic variables, military service, and 
disabilities for veterans entitled and not entitled to such program services, and 
matched the social security numbers of veterans in both groups against the 
C&P file. 
• In August 2005, he prepared a spreadsheet for the Congressional Budget
Office showing VA disability compensation by percentage of disability, using 
the C&P file and the NSV database. 

Some of the employee's recently requested and ongoing work that required access and 
use of large VA databases included: 

• An employability research study using the C&P file to compare veterans who 
had discontinued their involvement in the vocational rehabilitation program 
with the veterans' degree of disability. 

• A project working with the Institute for Defense Analyses (IDA), which was 
conducting a study of the geographical variations in compensation payments 
to veterans, to provide IDA an extract with scrambled social security numbers 
which was based on information in BIRLS. The employee was working on 
this project shortly before he reported his house had been burglarized. 

The employee described to us the projects he had been working on at his home using 
most of the files he had stored on his stolen external hard drive. One project involved 
the 2001 NSV. The employee said that the contractor responsible for conducting the 
survey contacted approximately 7,000 of the 14,000 veterans whose names they 
sampled from VA files (veterans who were receiving VA benefits or health care) but, 
rather than providing OPP&P the social security numbers of only those veterans 
contacted, they provided all 14,000 social security numbers. The employee told us he 
was attempting to identify the 7,000 veterans actually contacted so he could compare 
their survey responses with information VA already had on file about them. He said he 
wanted to determine the extent to which the responses were accurate because OPP&P 
had received much criticism regarding the reliability of the survey. 

The employee told us the survey data included the telephone numbers of all veterans 
contacted so he was able to begin the identification process by comparing those 
telephone numbers with numbers in the VA files from which the sample was taken. He 
said he then used a 2001 online reverse telephone directory to continue identifying 
other veterans. The employee explained that if he judged a name and address in the 
reverse telephone directory to match a name and address of one of the 14,000 
veterans, he inserted the veteran's social security number into his file. 

The employee told us he was personally interested in the process of identifying the 
approximately 7,000 veterans, referring to the effort as his "fascination project." He said 
he began the project in 2003, but could not recall spending time working on it during 
calendar year 2006. According to the employee, he worked on the project at home 
because it was very time-consuming and he could not devote sufficient time to it at the 
office. He said he was willing to invest his own time to see if he could make progress in 
identifying the veterans. The employee told us he never came up with a list of veterans 
that he considered to be adequately matched. 
Ms. Susan Krumhaus, OPP&P Project Manager for the NSV, told us she worked with 
the employee on the survey until sometime in 2004. She said the two of them wanted 
to validate survey responses to determine, for example, if veterans experienced 
memory lapses while taking the survey and what could be done to improve that. 
However, she said the validation the employee was doing occurred several years ago, 
and she was not aware that he was working on the project in May 2006. 

Mr. Michael McLendon, Deputy Assistant Secretary for Policy and the employee's 
second-level supervisor, told us the NSV is the largest survey of veterans conducted, 
and the only source for certain data to characterize the veteran population. He said he 
assumed the employee was attempting to match survey veterans with veterans in the 
C&P database or in other records to obtain additional information about them and their 
cohort group. He noted that VA did not have good integrated data to profile different 
cohorts of veterans, and that he believed any attempt to give the agency better insight 
into the veteran population by matching the survey data with information already in VA 
databases was a legitimate work effort, although he was unaware of the project. 

The employee described a second project involving files he had saved on his stolen 
hard drive. He said he had attempted to identify veterans exposed to mustard gas and 
other hazardous material, most of whose names, but not social security numbers, were 
in a Department of Defense (DoD) data file he received from VBA. The employee told 
us that once a veteran was identified, he provided the veteran's social security number 
to C&P Service so VBA could begin outreach efforts. According to the employee, the 
January 2006 extract of the BIRLS file he had taken to his home provided him, for the 
first time, veterans' service numbers and by matching those numbers with service 
numbers in the mustard gas file he could then determine, from the BIRLS file, the 
veterans' social security numbers. Mr. Dat Tran, Acting Director, Data Management 
and Analysis Service, confirmed that OPP&P was asked to help identify veterans DoD 
included in its mustard gas file, and that he assigned the project to the employee. 

Part of the issue of who knew what concerning the work of the employee was that it was 
not clear who actually supervised him. For example, in a recent memorandum from 
Mr. Tran, he makes the point that even though the employee stated that he was his 
supervisor, he was not. Mr. Tran said they were colleagues and that Mr. Michael Moore 
performs the supervisory functions of the employee. While Mr. Moore is the employee's 
first-line supervisor, he admitted that he had no idea what projects the employee was 
assigned, nor did he have any understanding of the size or contents of the databases 
with which the employee routinely worked. According to Mr. McLendon, Mr. Moore was 
given responsibility for first-line supervision of the employee as a result of the 
reassignment of personnel that occurred because of intense disagreement between 
Mr. Dennis Duffy, Acting Assistant Secretary for OPP&P, and himself. 

The Employee Had No Official Need to Have the Data at Home 

As discussed in Issue 5 of this report, VA regulations require that VA will safeguard an 
individual against the invasion of personal privacy (38 C.F.R. 1.576). However, we 
could not identify any VA policy that specified how protected information not maintained 
on a VA automated system should be safeguarded, particularly when it is removed from 
the workplace. 

The employee told us he had been taking data containing personal identifiers home 
since 2003, never asked anyone's permission to do so and, to his knowledge, no one 
was aware he had it at home. The employee noted, however, that he was issued a VA 
laptop computer in 2004 and 2005, along with remote access to VA's virtual private 
network (VPN) and frequently took the laptop, with personal identifiers in it, home, and 
that his supervisors were aware of it. 

According to the employee, when he turned in his VA laptop in January 2006 he 
continued to take work home and began using a personal laptop and external hard 
drive, which he had purchased in mid-2005. He used CDs, Digital Versatile Discs 
(DVDs), floppy disks, and, more recently, a personal flash drive to transport VA data 
home, where he transferred it to his personal external hard drive. He said he did not 
believe the information he saved to his external hard drive was at risk because he was 
careful not to access the Internet with the external hard drive connected to his laptop. 
He also stored the external hard drive and his laptop in separate parts of his house with 
the hard drive hidden from view, but acknowledged he took the physical security of the 
VA data for granted. The employee advised us that he did not store VA data on his 
personal laptop, but did store unencrypted VA data without password protection on the 
external hard drive. 

Mr. Tran told us the employee never told him he took data with personal identifiers 
home and he was not aware the employee had done so. On May 17, 2006, Mr. Tran 
wrote a short statement for VA management noting that the employee's action was 
self-initiated, and not at the direction of OPP&P management. 

Of particular note is the fact that OPP&P managers characterize the employee as a very 
motivated, hard-working, and dedicated individual who worked long hours and produced 
meticulous work. The employee was described as a detailed and comprehensive 
analyst with respect to programming and analyzing data. For his most recent 
performance appraisal period, the employee was rated "Outstanding," the highest rating 
in VA's performance appraisal system. He also received a monetary award for his 
accomplishments in December 2005. 

The Employee Likely Had Large VA Databases on His Stolen External Hard Drive 

According to the employee, he may have had six files containing VA data stored on his 
stolen external hard drive. He said he had attempted to recall which files may have 
been on the external hard drive based on what he knew was on a flash drive and some 
CDs he had at his home, none of which were stolen, and based on what he knew he 
had been working on at home. The six files were: 


VA Office of Inspector General 
Case 1:06-cv-01038-JR Document 18-3 Filed 01/09/2007 Page 18 of 32 
Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans 

• A BIRLS extract, with information as of January 2006, containing 
approximately 26 million records. According to the employee, 19.6 million of 
those records contained social security numbers. Additionally, the employee 
stated that the extract contained information such as the veteran's full name, 
date of birth, service number(s), and combined degree of disability. The 
employee stated he was certain he transferred the file from his VA desktop 
computer to his personal hard drive, but he could not recall if he had deleted it 
before the burglary. 

• An extract of the August 2005 C&P file, containing social security numbers, 
matched with veterans' full names and dates of birth from BIRLS, and 
containing records of over 2.8 million living veterans. 

• A file containing information obtained from veterans during the 2001 NSV. 
Data collected included socio-demographic and economic characteristics, 
military background, health status, VA benefit usage, and anticipated burial 
plans. According to the employee, this file contained records, all of which 
included telephone numbers, on over 20,000 veterans. He stated the records 
included responses received from the survey questions and contained over 
6,200 social security numbers. 

• A file extracted from both the VHA National Enrollment Data file and the C&P 
file. The file represented the population from which some veterans were 
sampled during the NSV (other veterans were selected based on random 
telephone dialing). According to the employee, the file contained over 5.5 
million records, containing the veteran's address, date of birth, claim number, 
combined degree of disability, enrollment priority, social security number, and 
telephone number. 

• A file the employee created matching veterans' names and addresses 
contained in the above NSV sample frame with names and addresses 
contained in a reverse telephone directory look-up file. The employee did not 
quantify the number of veteran records in this file, but noted that some 
records may have contained social security numbers. 

• A file of over 6,700 service members and civilians who, according to DoD, 
had been exposed to mustard gas and other substances. According to the 
employee, many entries contained service numbers but few included social 
security numbers. He stated that information on a veteran may have included 
name; date of birth; exposure type, site, and date; service connected 
percentage; and diagnostic codes. 

We determined that the above files, numbers of records, and identifying information 
were on the CDs, flash drive, and other media the employee had at his home at the time 
of the burglary, and thus could have been on his stolen hard drive. Subsequently, it 
was determined that as many as 2.2 million U.S. military personnel could have been in 
the BIRLS data that was stolen, including 1.1 million active duty personnel, 430,000 
National Guard members, and 645,000 reserve members. 

The employee noted, and we confirmed, that he had a file on his flash drive containing 
data extracted from the VHA patient treatment file regarding a single veteran who 
visited VA health care facilities on 57 different dates. The file of the deceased veteran 
contained a partial social security number and diagnostic codes describing each visit. 
The employee said he did not believe this file was transferred to his hard drive because 
he used it only to debug a program to summarize such information and said the file was 
of no further use to him. Regarding another file found on one of the employee's CDs, 
he told us it pertained to a project he was working on using vocational rehabilitation data 
and said he did not believe it was on his stolen hard drive because he had no interest in 
working on that project at home. 

Conclusion 

While the employee had authorization to access and use large VA databases containing 
veterans' personal identifiers in the performance of his official duties, he had no need or 
authorization to take the data home. However, by storing the files on his personal 
external hard drive and leaving it unattended, the employee failed to properly safeguard 
the data and unnecessarily exposed it to risks greater than those existing in the 
workplace. While much has been made about the burglary of the employee's home and 
theft of the external hard drive, the loss of VA data was possible because the employee 
used extremely poor judgment when he decided to take personal information pertaining 
to millions of veterans out of the office and store it in his house without password 
protecting and encrypting the data. The employee is personally accountable for this 
serious error in judgment. The Department has already proposed administrative action. 
Issue 2: Whether the Response of Managers and Senior Executives in 
OPP&P to the Notification of the Stolen Data Was Appropriate and 
Timely 

Findings 

Although senior managers and other staff in OPP&P were informed of the possible loss 
of VA data on May 3, 2006, the date of the burglary at the employee's home, the 
incident was not communicated up the chain-of-command until the VA Chief of Staff 
was notified 6 days later on May 9, 2006. This delay occurred in large part because 
senior executives in OPP&P failed to take appropriate and timely action to determine 
the extent and scope of the stolen data. Furthermore, VA Security and Law 
Enforcement officials focused on whether VA "equipment" had been stolen and not on 
the fact that the theft included VA information. Finally, OPP&P executives erroneously 
assumed that the SOC was sufficiently addressing the reported data loss and would 
make appropriate notifications. 

OPP&P Officials Waited 6 Days before Notifying the Office of the Secretary and 
Failed to Determine the Magnitude of the Data Loss 

Upon discovering the theft of his personally-owned laptop computer and external hard 
drive on May 3, 2006, the employee telephoned his office around 5:00 p.m. to report the 
burglary and data theft. During the next couple of hours, the employee talked to 
Mr. McLendon, Mr. Tran, and Mr. Kevin Doyle, Security and Law Enforcement Police 
Operations Team Leader. The employee told us that he advised each of them about 
the burglary and possible theft of VA data. 

Shortly after 5:00 p.m., the first person the employee talked to was Mr. Doyle. 
Mr. Doyle's recollection of the call was that the employee only told him that he had a 
burglary at his home and that he had personal property missing. Mr. Doyle told us he 
did not remember being told anything about VA data. He added that the caller was very 
upset and noted that this could be "a career-ending incident," but did not get the 
employee's name because he was on a Metro train when he took the call. Mr. Doyle 
recalls telling the caller that since the incident did not occur at VA and no VA property 
was taken, the caller needed to coordinate through his local police department. 
Mr. Doyle said he did not query the individual further for details, and the call only lasted 
a couple of minutes. Mr. Doyle told us that because he was on annual leave the next 
day, he telephoned Mr. John Baffa, Deputy Assistant Secretary for Security and Law 
Enforcement, to ask if anyone reported a burglary or a missing computer. 

The employee's recollection of this call was that he did tell Mr. Doyle that the stolen 
computer equipment had VA data on it. When questioned further about what he told 
Mr. Doyle, the employee said, "I wouldn't just report the theft of my private property to 
him." Also, when we interviewed Mr. Baffa, he testified that Mr. Doyle told him the next 
day that the employee told him that there might have been some VA material on the 
stolen computer equipment. 
About 5:30 p.m., the employee then talked to Mr. McLendon. Mr. McLendon stated that 
the employee was very upset about the incident and that the local police were still at the 
employee's residence. According to Mr. McLendon, he did not discuss the specific type 
or amount of data possibly located on the stolen external hard drive with the employee 
because, "There was no way to have a detailed dialogue at that time about what data 
was missing." Mr. McLendon told the employee to take the next day off to deal with the 
burglary, and never personally followed up with the employee again. 

Around 6:45 p.m., Mr. Tran telephoned the employee to obtain a better sense about the 
data theft. The employee advised Mr. Tran that he believed that the stolen external 
hard drive potentially had a copy of a BIRLS extract that he had downloaded from the 
AAC. Mr. Tran did not attempt to obtain any further information at that time, nor did he 
have a follow-up conversation with the employee until May 8, 2006. 

On Thursday, May 4, 2006, Mr. Tran advised Mr. McLendon and the OPP&P 
Information Security Officer (ISO) that the employee believed that a copy of a BIRLS 
extract was probably on the external hard drive that was stolen. At the direction of 
Mr. McLendon, Mr. Tran met with the ISO, who also serves as the Privacy Officer (PO) 
for OPP&P, to identify what action was required. No further significant action was taken 
that day since the employee was at home, and no notifications were made to senior VA 
management officials. 

Despite being notified of the loss of VA data on May 3, 2006, Mr. McLendon did not 
inform his direct supervisor, Mr. Duffy. Mr. Duffy advised us that he did not learn of the 
theft until Friday morning, May 5, 2006, around 9:45 a.m., when he spoke with the 
OPP&P ISO, in what Mr. Duffy described as a rather "casual hallway meeting." The 
ISO advised Mr. Duffy of the circumstances surrounding the burglary and theft of 
protected veteran data, and indicated that he was working with Mr. McLendon and 
Mr. Tran on the matter. 

When we asked Mr. Duffy if he discussed the matter with Mr. McLendon on May 5, 
2006, he said no, noting that there had been a long and very strained relationship with 
him. Mr. Duffy said that Mr. McLendon had a very strong belief that, as a political 
appointee, he reported in some fashion to the Secretary and that there was no need for 
a careerist to supervise him. Mr. McLendon characterized the OPP&P as one of the 
most dysfunctional organizations in VA, and that it was one of the most hostile work 
environments "he ever set foot in." 

During the hallway conversation with Mr. Duffy, the OPP&P ISO also stated that he had 
notified the SOC as part of his ISO duties and responsibilities. Mr. Duffy recalled 
directing the ISO to provide him with as comprehensive a list as he could of the data 
sets and the specific personal identifier data elements that were believed to have been 
stolen and the magnitude. We determined that Mr. Duffy later briefed the VA Chief of 
Staff on the stolen data without following up to determine if a comprehensive list was 
developed or if the magnitude of the loss was determined. 
When asked why no one in OPP&P attempted to quantify the loss until directed to do so 
on May 16, 2006, by OGC, Mr. Tran stated that they followed the prescribed procedure 
issued by Cyber Security or the SOC, that basically says when you have an incident 
you report it to your ISO, and then your ISO will follow the prescribed process. Mr. Tran's 
assertions that he was unfamiliar with the size of the BIRLS extract are undermined by 
an e-mail sent to him by the employee on April 6, 2006, approximately a month before 
the burglary, in which the employee noted that he downloaded the April 2006 BIRLS 
extract and that the file contained 26,503,436 records. 

Mr. Duffy asked the OPP&P ISO to advise him what the procedures and obligations 
were with respect to notification, since he was both the ISO and PO. Both Mr. Duffy 
and Mr. McLendon admitted that they had no knowledge of what the SOC would do with 
the information, but assumed erroneously that the SOC would make appropriate 
notifications. In fact, Mr. Duffy said he did not even know that there was a SOC before 
the burglary. 

Mr. McLendon recalled thinking he fully expected the next day to see a "wave of IG 
people," or people calling from upstairs saying "come up here and give us a simple 
version of this and what you think our potential exposure may be, but nobody ever 
called." Instead, he noted, "We waited. The process has been notified. The process 
will tell us what we're supposed to do here." 

Mr. Duffy and Mr. McLendon said that they relied almost exclusively on OPP&P's GS-13 
ISO/PO to investigate and report his findings to the SOC, as if this absolved them of any 
responsibility for ensuring that law enforcement had all of the information about what 
was actually stolen. Ironically, when questioned about his role as an ISO for the SOC, 
the OPP&P ISO said "I'm not an investigator. I'm a computer tech guy that has a job." 

The OPP&P ISO interviewed the employee on Friday, May 5, 2006. He advised us that 
because the employee was so flustered and because he knew the employee was going 
to be interviewed by a "bunch of people," he did not want to become part of it. 

The OPP&P ISO told us that within 3 or 4 minutes into the conversation the employee 
was going in so many different directions he could not take good notes, so he told the 
employee to write it down and send it to him. Based on the employee's report, which 
was received around 2:00 p.m., the ISO drafted a "White Paper on Lost Data" that he 
e-mailed to Mr. Duffy and Mr. McLendon around 3:30 p.m. Shortly after that, 
Mr. McLendon responded to Mr. Duffy and the ISO indicating that he would review the 
document over the weekend. No further action on this matter appears to have occurred 
during the next 2 days (weekend), including any notifications to senior VA management 
officials. 

On Monday morning, May 8, 2006, Mr. McLendon advised Mr. Duffy that, in his view, 
the OPP&P ISO's white paper was inadequate and did not appropriately address the 
event. Mr. McLendon stated he would re-draft the ISO's white paper. In preparation for 
finalizing the revised white paper, Mr. McLendon stated that Mr. Tran would query the 
employee about the data that was on the hard drive and disks, citing a need to "be as 
precise as possible and not leave huge gaps where people will jump to conclusions." 
Mr. McLendon stated that the section describing what may have been lost would be 
updated, and that Mr. Tran "accelerated his discussions with the employee." 

Mr. McLendon's assertion that Mr. Tran continued to query the employee about the data 
that was on the hard drive and disks is disputed by Mr. Tran, who advised us that his 
sole purpose in contacting the employee on May 8, 2006, was to determine if CDs and 
the flash drive were actually stolen during the burglary, not what was on them. Mr. Tran 
stated that prior to May 16, 2006, he never attempted to quantify the number of records 
in any of the databases believed to have been stolen in any of his conversations with 
the employee, and he was not asked to. 

Later that day, Mr. McLendon forwarded the revised white paper to Mr. Duffy, Mr. Tran, 
and the OPP&P ISO. Mr. McLendon, who titled his memorandum "Possibly Lost 
Veterans Data," noted that he had added further detail for clarity. Our review of the two 
papers indicated that Mr. McLendon's changes to the white paper focused on providing 
more background information on the burglary and who was notified, and information 
concerning the fact that most of the critical data was stored in files formatted in 
Statistical Analysis System (SAS). 

This revised white paper which was completed on May 8, 2006, and put in 
memorandum format, inaccurately retained the May 5, 2006, date and the OPP&P 
ISO's name and title. Also, while the memorandum did provide additional clarification 
on some aspects, it did not address the magnitude or extent of the stolen data in terms 
of numbers of veterans. Even though the ISO's May 5, 2006, white paper indicated that 
one of the files believed to be stolen contained "BIRLS' First, Last, and Middle Names 
for each veteran in the C&P Mini-Master, using SSN as the matching criteria," there is 
no testimonial or documentary evidence that Mr. McLendon either personally or via a 
subordinate attempted to quantify the number of records in the stolen BIRLS or C&P 
files until OGC requested further review on May 16, 2006. 

In what we conclude was an effort to mitigate the loss of data, Mr. McLendon's primary 
contribution to the editing of the OPP&P ISO's white paper was the assertion that SAS 
formatting protected most of the stolen data from all but SAS programmers with access 
to an expensive copy of the SAS application. This is not the case because we were 
able to display and print a portion of the SAS formatted data without the SAS program. 
Finally, Mr. McLendon, who is not an expert in SAS, failed to consult with the OPP&P 
SAS expert before revising and forwarding to upper management a white paper that 
implied the SAS formatting afforded protection for most of the stolen data. 
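The point the OIG makes about SAS files, and equally about the unencrypted external hard drive described under Issue 1, is that a proprietary or binary file format is not a security control: the character fields inside a SAS dataset (and inside most binary record formats) are stored as plain bytes, so anyone with a hex editor or a string-carving tool can read names and social security numbers without ever owning the application that wrote the file, and keeping the drive off the Internet does nothing once the drive itself is in someone else's hands. The following Python example is added by the editor and is not part of the OIG report or of any VA system. It builds a constructed, fictitious binary record file (the container layout, field widths and records are all invented for illustration), carves readable strings and SSN-shaped digit runs out of it exactly as a thief could, and then shows that the same carving recovers nothing once the bytes are properly encrypted. The XOR-with-random-key step is a stand-in for real encryption (in practice use AES-GCM from a vetted library); it is used here only because it is self-contained and runs with the standard library.

```python
import re
import secrets
import struct

# Constructed sample data (fictitious, not real beneficiary records):
# (name, SSN as nine ASCII digits, date of birth as YYYYMMDD, combined degree of disability)
RECORDS = [
    ("DOE JOHN", "123456789", 19420315, 40),
    ("ROE JANE", "987654321", 19551207, 70),
    ("SMITH ALAN", "555443333", 19680101, 0),
]

# Nine consecutive digits not adjacent to other digits: the shape of an SSN stored as text.
SSN_RE = re.compile(rb"(?<!\d)\d{9}(?!\d)")
# Runs of four or more printable ASCII bytes: what `strings` would report.
TEXT_RE = re.compile(rb"[\x20-\x7e]{4,}")


def pack_records(records):
    """Serialize the records into an invented 'proprietary' binary container:
    a magic header, then per record a 20-byte NUL-padded name, the SSN as
    nine ASCII digits, the DOB as a 32-bit little-endian integer and the
    disability percentage as one byte. No encryption is applied."""
    blob = bytearray(b"PROPRIETARY-DATASET\x00\x01\x00")
    for name, ssn, dob, pct in records:
        blob += name.encode("ascii").ljust(20, b"\x00")
        blob += ssn.encode("ascii")
        blob += struct.pack("<IB", dob, pct)
    return bytes(blob)


def carve(blob):
    """Recover printable strings and SSN-shaped digit runs from raw bytes,
    without any knowledge of the container format or the writing application."""
    strings = [m.group().strip().decode("ascii") for m in TEXT_RE.finditer(blob)]
    ssns = [m.group().decode("ascii") for m in SSN_RE.finditer(blob)]
    return strings, ssns


def encrypt_stand_in(blob, key):
    """One-time-pad XOR with a random key as long as the data, used once.
    This stands in for a real cipher (use AES-GCM in practice); the property
    demonstrated, that ciphertext carries no carvable plaintext, is the same."""
    if len(key) != len(blob):
        raise ValueError("key must be as long as the data")
    return bytes(b ^ k for b, k in zip(blob, key))


def demo():
    """Carve the plaintext container, then the encrypted one, and return both results."""
    blob = pack_records(RECORDS)
    plain_strings, plain_ssns = carve(blob)
    key = secrets.token_bytes(len(blob))
    enc_strings, enc_ssns = carve(encrypt_stand_in(blob, key))
    return {
        "plain_strings": plain_strings,      # includes the header and every name
        "plain_ssns": plain_ssns,            # all three SSNs, in file order
        "encrypted_strings": enc_strings,    # at most a few random short runs
        "encrypted_ssns": enc_ssns,          # empty
    }


if __name__ == "__main__":
    result = demo()
    print("plaintext container  ->", result["plain_ssns"], result["plain_strings"])
    print("encrypted container  ->", result["encrypted_ssns"], result["encrypted_strings"])
```

Random ciphertext can by chance contain a short run of printable bytes, which is why the check on the encrypted output is that no SSN-shaped run and none of the known names appear, not that the string list is empty. For an actual SAS dataset the same carving works, and a `.sas7bdat` file can also be read outright with `pandas.read_sas`, so a licence for the SAS application is not a barrier to anyone holding the file.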

Late in the afternoon on Tuesday, May 9, 2006, Mr. Duffy met with Mr. Thomas 
Bowman, VA Chief of Staff, to discuss a number of issues, including the burglary that 
Mr. Duffy said he characterized to Mr. Bowman as a "fairly serious breach of sensitive 
data." Mr. Duffy suggested to Mr. Bowman that it was important for the VA senior 
leadership to meet and assess VA's affirmative obligation to notify the beneficiary 
population whose data may have been compromised. 

On Wednesday morning, May 10, 2006, Mr. Duffy again briefed Mr. Bowman and 
provided him with a copy of the May 5, 2006, memorandum. Mr. Duffy recalled that he 
defined terms and acronyms contained in this memorandum, such as SAS, NSV, and 
BIRLS, for Mr. Bowman. Mr. Duffy stated that Mr. Bowman made a number of notations 
on the memorandum. Although Mr. Duffy recalled explaining that the BIRLS system is 
used by VBA, in particular, to identify veterans and match up names, social security 
numbers, and claim numbers, he could not recall providing Mr. Bowman with an 
estimate of the number of records lost in the burglary. 

Mr. Duffy stated that it was his intention to reveal the loss of data to the Deputy 
Secretary, but decided to inform Mr. Bowman on May 9, 2006, when the weekly 
Tuesday meeting convened by the Deputy Secretary was cancelled. When asked why 
he did not notify the Chief of Staff or the Deputy Secretary when the OPP&P ISO's 
original "White Paper" was completed on May 5, 2006, Mr. Duffy admitted that there 
was no real sense of urgency on his part. He perceived the problem to be limited to the 
20,000 or so veterans in the NSV and the approximately 6,000 veterans in the mustard 
gas file. He acknowledged knowing there were personal identifiers in the stolen 
information and that VA had an obligation and a responsibility to mitigate it. However, 
he added that he knows how VA operates — "they do not do crisis management." 
Mr. Duffy said he did not perceive this as a crisis. In hindsight, he added that his 
greatest regret is that he "failed to recognize the magnitude of the whole thing." 

Mr. Duffy advised us that he was not contacted about the incident after his May 10, 
2006, meeting with Mr. Bowman until May 17, 2006, when he was invited to participate 
in a pre-brief for the congressional hearing and was handed a copy of a May 17, 2006, 
memorandum written by Mr. McLendon. This was the first time Mr. Duffy saw that more 
than 26 million records were involved and included social security numbers and other 
information. Mr. McLendon's May 17, 2006, memorandum was written in response to a 
request from the VA General Counsel on May 16, 2006, asking that specific information 
about the loss be determined and documented by OPP&P. Mr. Duffy was not aware of 
the request from OGC or Mr. McLendon's response after it was submitted to OGC. 

The Deputy Assistant Secretary for Security and Law Enforcement Did Not Make 
the Appropriate Inquiries to Notify Appropriate Law Enforcement Entities of the 
Potential Impact on VA Programs and Operations 

VA regulations require all VA employees to immediately report information about actual 
or possible violations of criminal laws related to VA programs, operations, facilities, 
contracts, or information technology systems to their supervisor, any management 
official, or directly to the OIG (38 C.F.R. 1.201). Information about actual or suspected 
violations of criminal laws related to VA programs, operations, facilities, or involving VA 
employees, where the violation of criminal law occurs on VA premises will be reported 
by VA management officials to the VA police (38 C.F.R. 1.203). 
Our investigation found that the employee complied with the provisions of 
§§ 1.201 and 1.203 when he reported the theft of his personal computer and 
external hard drive to his supervisors and VA law enforcement. We concluded 
that Mr. John Baffa, Deputy Assistant Secretary for Security and Law 
Enforcement, failed to take appropriate action to determine if there was an actual 
or possible crime involving VA programs and operations. If he had made the 
proper inquiries, he would have known that the theft was a possible violation of 
criminal laws relating to VA programs that was required under § 1.203 to be 
reported to the appropriate Federal law enforcement entity for investigation, 
including the VA Inspector General. An inquiry also would have determined that 
the theft of the data was a potential felony involving VA programs that was 
required to be reported to the OIG under the provisions of 38 C.F.R. 1.205. 

Mr. Baffa told us that late morning on May 4, 2006, Mr. Doyle called him and asked if he 
heard anything regarding a burglary or theft of a computer. Mr. Doyle advised Mr. Baffa 
that an employee had called him the day before and was "concerned because his house 
had been broken into and his personal computer stolen" and, when the employee was 
asked why he was calling the Office of Security and Law Enforcement, "he said that 
there might have been some VA material on it." 

Based on his conversation with Mr. Doyle, Mr. Baffa was aware that the stolen data may 
have contained VA material. While he may not have had sufficient information at the 
time to comprehend the significance of the incident, he did not take appropriate action 
to determine if there was a crime involving VA programs, operations, or employees. He 
did not make any inquiries to determine what "VA materials" may have been stolen; 
whether the "VA materials" included information protected by the Privacy Act, a VA 
confidentiality statute, or the Health Insurance Portability and Accountability Act 
(HIPAA); whether the employee had violated Federal law by inappropriately accessing 
the information; whether the employee had violated the Privacy Act or other statute by 
disclosing protected information, etc. Had he made these inquiries, he should have 
recognized the significance of the matter and contacted the Department of Justice 
(DOJ), the OIG, or other appropriate law enforcement entity to ensure that they were 
aware of the magnitude of the data on the stolen equipment and the potential impact on VA. 

In his interview, Mr. Baffa implied that he may have acted differently if he had been 
informed that the employee had told Mr. Doyle that the theft "could be a career-ending 
incident for him." We do not believe this exonerates Mr. Baffa from his obligation to 
determine if there was a crime or possible crime that potentially involved VA because 
Mr. Baffa knew the most important fact: that VA material may have been stolen. 

Mr. Baffa's decision not to take any further action because the OPP&P ISO was working 
on the issue also does not relieve him of his duty to exercise due diligence to determine 
if a crime occurred involving VA programs and report to the appropriate law 
enforcement entity. Mr. Baffa also told us that later in the day on May 4, 2006, he 
looked in the VA directory and determined that the employee worked in OPP&P. He 
then went there to inquire whether someone reported the theft of a computer. He said 
he met with the ISO, who told him that he was working on it. Mr. Baffa said that he took 
no further action because he felt it was the ISO's responsibility as the ISO to investigate 
the matter, which he understood to be a computer security issue. He added that if 
nothing had been physically stolen from VA and the SOC is notified, then once they do 
what they have to do they would then notify him that he had a problem. 

There is nothing in the law or policy that provides the ISO jurisdiction to investigate 
potential criminal activity. As discussed in Issue 5, the relevant VA policies, VA 
Directive and Handbook 6210 and VA Handbook 6502.1, do not require the ISO or PO 
to conduct a criminal investigation and do not require any reporting to law enforcement. 
In addition, there is no VA policy that requires the Office of Security and Law 
Enforcement to wait until the ISO or PO conducts an investigation. The Office of 
Security and Law Enforcement has responsibility for ensuring that crimes or potential 
crimes involving VA property, programs, and operations are investigated. 

Conclusion 

While no policy was violated in the handling of the incident, staff and senior managers 
who were notified of the theft failed to take appropriate action to determine the 
magnitude of what was stored on the stolen external hard drive, or whether it was 
encrypted or otherwise protected. The failure to determine this resulted in not 
recognizing the potential impact on VA programs, operations, and veterans. Since 
the local police were not told for 13 days that VA data was stolen during the burglary, 
valuable forensic evidence was most likely lost. The delay also prevented the burglary 
from receiving the urgency it warranted from Federal law enforcement agencies. 

Poor communication, partially resulting from a dysfunctional working relationship among 
senior OPP&P executives, contributed to the 6-day delay in notifying the Office of the 
Secretary. While there was considerable rhetoric among OPP&P management 
concerning the need to identify the extent and scope of the stolen data, there was 
virtually no follow-up to obtain results. Also, the lack of urgency in addressing this issue 
was compounded by the false assumption that the SOC had the responsibility to investigate 
the incident and make all required notifications. This led to the situation where the 
magnitude of the problem was still undetermined when brought to the attention of the 
VA Chief of Staff 6 days after the burglary. Both Mr. Duffy and Mr. McLendon bear 
responsibility for the impact that their strained relationship, which both acknowledged, 
may have had on the operations of OPP&P in handling the aftermath of the theft. 

Recommendation 

Based on the circumstances presented in this section, we recommend that the 
Secretary take whatever administrative action he deems appropriate concerning the 
individuals involved. 
Issue 3: Whether the Secretary's Immediate Staff Demonstrated a 
Lack of Urgency in Notifying the Secretary 

Findings 

On Tuesday, May 9, 2006, Mr. Duffy notified Mr. Bowman of the data theft. 
Mr. Bowman asked Mr. Duffy to provide him additional details regarding what data may 
have been breached, and the following morning, Wednesday, May 10, 2006, Mr. Duffy 
gave Mr. Bowman the "May 5th memorandum," as discussed in Issue 2. At 
approximately 1:30 p.m. on May 10, 2006, Mr. Bowman provided a copy of this 
memorandum to Mr. Jack Thompson, Deputy General Counsel, and asked him to 
provide an assessment of the agency's duties and responsibilities to notify individuals 
whose identifying information was compromised. Also on the afternoon of May 10, 
2006, Mr. Bowman informed Mr. Gordon Mansfield, Deputy Secretary, of the burglary 
and the stolen VA data. 

It was not until the morning of May 16, 2006, after the Chief of Staff was informed by the 
Inspector General that the stolen data most likely contained records with personal 
identifiers on approximately 26 million records, that Mr. Bowman notified the Secretary 
of the theft and magnitude of the lost data. Six days of the 7-day delay in notifying the 
Secretary were spent waiting for legal advice from OGC on VA's legal responsibility to 
notify individuals potentially impacted by the loss of the data. This 6-day delay can be 
attributed to a lack of urgency on the part of those requesting this opinion and those 
responsible for providing the response. This is not to say that everyone who was 
notified of the incident failed to recognize the importance of this matter, but no one 
clearly identified this as a high priority item and no one followed up on the status of the 
request until after the May 16, 2006, call from the Inspector General. 

VA Chief of Staff and Deputy Secretary Waited 7 Days Before Notifying the 
Secretary of the Data Loss 

Mr. Bowman told us that Mr. Duffy first informed him of the burglary and loss of data 
containing personal identifiers on Tuesday, May 9, 2006. He said they had been having 
some "light conversation" when Mr. Duffy said, "I may as well bring to your attention the 
fact of this loss of information." Mr. Bowman said he asked Mr. Duffy to provide him 
written details regarding what data may have been stolen from the employee's home 
because he wanted to provide those details to OGC and obtain advice as to what VA 
must do with respect to notifying veterans about the loss. 

According to Mr. Duffy and Mr. Bowman, the two met again the next morning, May 10, 
2006, and Mr. Duffy provided Mr. Bowman a copy of the May 5, 2006, memorandum. 
Mr. Bowman told us that when they discussed the memorandum, he wrote notes on his 
copy as Mr. Duffy talked. One notation was "20k records." Mr. Bowman told us he 
thought that note referred to the size of the 2001 NSV database and several witnesses 
confirmed that approximately 20,000 veterans were surveyed. Mr. Bowman's note, 
however, was placed on the memorandum next to the description of BIRLS and not 
near the description of the NSV. Nevertheless, according to Mr. Bowman, Mr. Duffy 
said the loss "could be as little as 20-some thousand or it could be millions." 
Mr. Bowman said he questioned Mr. Duffy if he was referring to BIRLS when he said the 
loss could be millions, and said Mr. Duffy responded, "It could go that high if that's in 
fact what was lost." He said he recalled Mr. Duffy using the figure "up to 24 million," to 
explain the magnitude of records contained in BIRLS. 

Mr. Bowman informed us that on May 10, 2006, he took a copy of the May 5, 2006, 
memorandum to Mr. Thompson and asked for advice on what the VA's notification 
requirements were as a result of the loss of sensitive data. He told us he did not recall 
giving Mr. Thompson a deadline to provide a response, nor did he remember whether 
he conveyed a sense of urgency regarding the need for a quick response. 

Mr. Bowman stated he also informed Deputy Secretary Mansfield on May 10, 2006, and 
provided him a copy of the May 5, 2006, memorandum with his "20k records" notation. 
According to Mr. Bowman, he told Mr. Mansfield that the loss could be "as small as 
20,000 and it could be in the millions—the BIRLS system." Again, he told us, "I 
remember specifically telling the Deputy... we don't have any feel for whether it is as 
little as 20,000 or in the millions." Mr. Bowman said he told the Deputy Secretary that 
he requested legal advice from OGC, and that the Deputy Secretary asked to be kept 
informed. 

Mr. Mansfield confirmed that Mr. Bowman told him about the loss of data on May 10, 
2006. He said Mr. Bowman gave him a copy of the May 5, 2006, memorandum 
containing Mr. Bowman's handwritten notes, including the notation "20k records." 
Mr. Mansfield told us it was his understanding that the 20,000 records represented an 
extract of BIRLS and that OPP&P was attempting to determine which subsets of that 
database were involved. He said he asked Mr. Bowman to find out more information 
regarding how many and which files were stolen. He told us that based on the briefing 
he received from Mr. Bowman, he believed potentially 20,000 records were involved. 

Because the Deputy Secretary's recollection of the conversation differed from 
Mr. Bowman's concerning the issue of the magnitude of the loss, we had a follow-up 
conversation with Mr. Bowman, who stated that it is possible that he advised the Deputy 
Secretary that BIRLS may have been lost, assuming that the Deputy Secretary would 
have recognized that BIRLS contained millions of records. 

Mr. Mansfield told us that he and Mr. Bowman did not discuss notifying the Secretary. 
He said they were trying to get more information about the loss in order to be able to 
give the Secretary more details and to identify what needed to be done as far as 
notifying what he believed at the time was approximately 20,000 veterans. He said had 
he known the loss affected 26 million veterans he might have notified the Secretary 
immediately, but thinking the loss was around 20,000 records he wanted to get more 
information on exactly what happened. 
Mr. Mansfield told us that, although he and the Secretary converse on a daily basis, he 
did not notify the Secretary about the data loss immediately after he first learned of it. 
Mr. Mansfield said that he had commented during the meeting with Mr. Bowman on the 
need to find out exactly what the size of the lost data was and to check with OGC on 
what else they needed to do to brief the Secretary. After the meeting, the Deputy 
Secretary left work on a personal matter and was out of the office either on personal 
business or speaking engagements from the afternoon of May 11 through May 16, 2006. 

Mr. Bowman took no further action on this matter until he received a telephone call from 
the Inspector General (IG) at approximately 8:30 a.m. on Tuesday, May 16, 2006. 
During the call, Mr. Bowman was informed that OIG staff learned through an interview 
with the employee that personally-identifiable data, including names, dates of birth, and 
social security numbers for as many as 24-26 million veterans may have been taken 
during the burglary. Mr. Bowman acknowledged to the OIG officials that he was aware 
of the incident but did not know the magnitude of the loss; he acknowledged that he 
thought the incident involved "hundreds of thousands" of records. The IG 
informed Mr. Bowman that the Secretary needed to be briefed on this issue. 

Shortly after the telephone call from the IG on May 16, 2006, but before he received the 
memorandum from OGC, Mr. Bowman met with the Secretary to inform him of the theft 
and loss of data. He told us he informed the Secretary that he had informed the Deputy 
Secretary of the incident and that the scope of the loss, according to the OIG, was 24- 
26 million records. According to Mr. Bowman, after he advised the Secretary of the 
possible loss, Mr. McClain provided him the memorandum he requested at 
approximately 11:00 a.m. that morning. The memorandum was dated May 16, 2006. 

Mr. Bowman told us he did not notify the Secretary sooner because he was waiting for 
the OGC memorandum. He said he wanted "substance and at least some 
organizational understanding" of what he needed to report, as he did not want to alert 
the Secretary "to something that is dramatic unless there is a basis for it," and if the 
facts showed that the matter was not urgent he did not want to "take up time with 
something that... can maybe be put in a memo that he can look at leisurely." While 
acknowledging that he enjoyed an "open door" relationship with the Secretary, 
Mr. Bowman decided he wanted to first work with the Deputy Secretary and other senior 
leadership, using the anticipated advice from OGC, to develop a strategy for responding 
and a set of recommendations. However, Mr. Bowman said that, after receiving the 
telephone call from the Inspector General, he felt he needed to tell the Secretary without 
waiting any longer for the OGC memorandum. He told us, in retrospect, he realized he 
should have given the Secretary the same notice he gave the Deputy Secretary on 
May 10, 2006. 

A Lack of Follow-Up and Editorial Changes Delayed OGC Legal Advice to the 
Chief of Staff for Several Days 

At approximately 1:30 p.m. on Wednesday, May 10, 2006, Mr. Bowman met with 
Mr. Thompson and provided him a copy of the May 5, 2006, memorandum. According 
to Mr. Thompson, Mr. Bowman asked him what VA's legal obligations were to the 
individuals whose identities may have been compromised as a result of the theft. While 
Mr. Thompson acknowledged he knew the issue was significant because it was unusual 
for the Chief of Staff to personally request an opinion, he told us Mr. Bowman neither 
told him about the magnitude of the loss nor gave him a deadline for responding. 
Regarding a deadline, Mr. Thompson noted that Mr. Bowman had come to his office 
about an hour earlier on another matter and gave him a 30-minute deadline to respond. 

Mr. Thompson put a routing slip on the memorandum Mr. Bowman provided and wrote 
on it, "The Chief of Staff asks, 'What is VA's responsibility in terms of notifying the 
individuals whose identities may become known as a result of this theft?'" He 
addressed the routing slip to OGC Professional Staff Group 4 (PSG 4), which handles 
information law issues, but did not establish a deadline for the response. He said he 
believed it was "self evident that this was a priority matter" because the Chief of Staff 
had handed the memorandum to him and he had it hand-carried to the individuals 
responsible for addressing the issue. 

According to Mr. Thompson, an administrative assistant delivered the memorandum to 
PSG 4, where another administrative assistant told us she recalled leaving the package 
on the chair of Mr. Jeff Corzatt, an attorney in PSG 4. Mr. Corzatt told us he found the 
folder in his chair on May 10, 2006. He said he wrote a response to the question written 
on the routing slip that afternoon, thought overnight about what he had written, and 
made some changes the next day, May 11, 2006. He said he then gave the response 
to his supervisor, the PSG 4 Deputy Assistant General Counsel, that afternoon. 
Mr. Corzatt told us he considered the response final on May 11, 2006, less than 24 
hours after he was assigned to write it. He told us he was not at work on Friday, 
May 12, 2006. 

The PSG 4 case tracking system documents that the response was approved by its 
management on Friday morning, May 12, 2006, and hand-carried to the General 
Counsel's office for review and approval. An administrative assistant in the General 
Counsel's office told us she received it that morning, and while proofreading it she 
noticed a need for minor edits. She marked them and personally hand-carried the 
folder on Friday afternoon to an administrative assistant in PSG 4 to have the edits 
made. The case tracking system indicates the edits were made on Monday, May 15, 
2006, and returned that afternoon. 

Mr. Thompson told us he did not discuss the Chief of Staff request with the attorney 
who prepared the memorandum, nor did he follow up on it. Mr. McClain said he was 
not aware of the request for legal advice by Mr. Bowman prior to May 16, 2006, and that 
Mr. Thompson had not talked to him about either the loss of data or the request. 
Mr. McClain said he first saw the memorandum in his in-box in the early morning of 
May 16, 2006, and reviewed it and signed it. Mr. McClain said that the call from the IG 
came shortly after that. He then went back to his office and retrieved the memorandum, 
made copies, and took it to the 11:00 a.m. meeting with the Chief of Staff and others. 
The May 5, 2006, memorandum that Mr. Bowman gave Mr. Thompson expressly stated 
that the information possibly stolen contained "a copy of the BIRLS production file in 
SAS format which contained SSN, DOB and NAME for living and deceased veterans." 
In addition, the memorandum also mentioned that a CD "contained BIRLS' First, Last, 
and Middle Names for each veteran in the C&P Mini-Master." Prior to becoming Deputy 
General Counsel, Mr. Thompson spent many years in OGC as the Assistant General 
Counsel for PSG 2, which provides legal advice and assistance to VBA. As an attorney 
for VBA, Mr. Thompson should have had knowledge about major VBA databases such 
as BIRLS and the C&P file. While he may not have been familiar with the full extent of 
details in these databases, he should have known that the records of millions of 
veterans were contained in them and, therefore, were potentially compromised. 

The OGC attorneys involved in addressing Mr. Bowman's request limited their response 
to the specific question he asked: "What was the duty of VA to notify the individuals 
whose personal data may have been lost or compromised?" Between May 10 and 
May 16, they took no affirmative action to assist or advise VA of any other issue related 
to the incident until after the IG provided information on the magnitude of the loss. 

Conclusion 

Although Mr. Bowman acknowledged he knew the VA data stolen on May 3, 2006, 
could affect the records of millions of veterans, he demonstrated no urgency in notifying 
the Secretary of the incident. He notified Mr. Mansfield the day after he learned of the 
loss, but Mr. Mansfield too decided not to raise the issue to the Secretary until they 
knew more information on what VA's legal responsibilities were and more about the 
magnitude of the problem. Mr. Mansfield recalled instructing Mr. Bowman to focus on 
identifying these issues; however, Mr. Bowman does not recollect being asked to obtain 
any additional information other than the legal advice from OGC. Yet, during the 6 days 
following his request for legal advice from OGC, Mr. Bowman did not follow up to 
determine the status of the request, or task anyone to develop a more definitive 
description of how many veterans' records may have been stored on the stolen external 
hard drive. While Mr. Bowman states that he was aware that it could have been 
millions, no effort was made to clearly identify what was in the stolen files. The OIG 
was able to determine the extent of the stolen data after one interview with the 
employee on May 15, 2006. It is inexplicable that the employee, who reported 
the stolen data, was never consulted by anyone in the management chain of command 
except the GS-13 ISO/PO for OPP&P until May 16, 2006. 

Recommendation 

Based on the circumstances presented in this section, we recommend that the 
Secretary take whatever administrative action he deems appropriate concerning the 
individuals involved. 
Issue 4: Whether Information Security Officials Effectively Triggered 
Appropriate Notifications and an Investigation of the Stolen Data 

Findings 

As soon as the employee returned to duty on May 5, 2006, the OPP&P ISO obtained 
from him information concerning the theft of the data and forwarded it to the SOC, an 
organizational component of the Office of Cyber and Information Security, and to the 
District ISO, who is responsible for coordinating ISO activities among VACO staff 
offices. However, the OPP&P ISO's incident report had significant errors and 
omissions, and information security officials did not adequately attempt to identify the 
magnitude of the incident or elevate it until their role was overtaken by events on 
May 16, 2006. 

At nearly every step, VA information security officials with responsibility for receiving, 
assessing, investigating, or notifying higher level officials of the data loss reacted with 
indifference and little sense of urgency or responsibility. Although the employee met 
with the ISO for OPP&P on his first day back in the office following the burglary, no 
effort was made to determine the magnitude of the data loss at this meeting or later 
when the information was relayed to other responsible officials, including the District 
ISO and officials in the SOC. At no time prior to the IG call on May 16, 2006, did 
anyone attempt to re-interview the employee to gain a better understanding of the 
scope and severity of the potential data loss. 

Efforts to investigate the incident were further impeded by errors and omissions in the 
ISO incident report and were delayed due to ineffective coordination between the 
OPP&P ISO and the SOC incident team lead. The senior management official with 
responsibility for the SOC reacted with indifference by not attempting to ascertain the 
scope of the potential breach and relying on lower-level employees to investigate and 
document the incident appropriately and in a timely manner without sufficient follow-up 
or oversight. His superior acknowledged that he was not informed by any of his staff 
about the incident, and also did not become aware of it until May 16, 2006. 

Twelve days after receiving the original incident report, the SOC had made no 
meaningful progress in assessing the magnitude of the event and had attempted to 
pass responsibility to gather information on the incident back to the OPP&P PO. 
Coincidentally, this is the same individual who referred the matter to the SOC in the first 
place, which he did in his dual capacity as ISO for OPP&P. 

The OPP&P ISO's Incident Report Contained Significant Errors and Omissions 

To ensure timely and appropriate responses to information security incidents, VA policy 
requires VA organizations to notify their assigned ISO promptly when such incidents 
occur, including incidents of unauthorized disclosure or loss of VA data. The policy 
further assigns the ISO responsibility for reporting these incidents to the SOC. The ISO 
for OPP&P has served in that capacity since 2002. 